New EU ePrivacy Directive opens doors for personal data services

Mydex CIC, published in Mydex, Jan 19, 2017

An updated proposal for the Regulation on Privacy and Electronic Communications was published this month. The EU’s famous ‘cookie laws’ have long been a poster-child example of how badly thought-through regulation can make a bad situation worse. The well-intentioned laws were supposed to empower individuals to control the use of cookies via consent. But because they imposed the lethal combination of extra admin hassle plus significant cognitive load (requiring users to educate themselves on what cookies are, how they work, etc.) they ended up as a counter-productive laughing stock — with consumers being presented with irritating banners that led them to details that a) they struggled to understand and b) didn’t really provide them with any real options.

The end result was that they simply agreed to everything that was presented to them, often giving ‘consent’ to even more invasive data practices than had existed before.

The solution to the core problems of admin hassle and cognitive overload is a new type of service: a single consents and permissions dashboard which enables individuals to specify the terms on which they want to do business (e.g. ‘only use my data for the purpose of providing the service I asked for’, ‘don’t share my data with third parties’), and which expresses these common wishes in a standardised form. In this way, genuine service providers can find it easy to verify that their privacy policies align with their customers’ desires.

Because this solution is centred on the individual and operates in a standardised way, the vast majority of consents and permissions can be automated, providing a highly efficient, trustworthy mechanism for both service providers and their customers.

Such a service has long been a core component of the Mydex Platform — 3 APIs for identity, consent and data management, built on open standards — already a live service ready for use by any service provider who wishes to adopt it.

With its proposed new ePrivacy Directive, the EC has taken a major step towards recognising this person-centric approach as the best way forward. In future, it says, individuals should be able to specify their privacy preferences as they relate to cookies (e.g. ‘no third party tracking’) in a ‘centralised’ way (i.e., centralised around the individual) via the software services they use to access and transmit information online.

Article 10 says:

1. Software placed on the market permitting electronic communications, including the retrieval and presentation of information from the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

2. Upon installation, the software shall inform the end-user about the privacy setting options and, to continue with the installation, require the user to consent to a setting. In the case of software that has already been installed, this should happen with the next update.

This is a significant departure from traditional European data thinking, pointing to a critically important direction of travel around personal data: towards privacy as a personal setting (not just an organisational ‘policy’), users in control, individuals as the point of integration of their own data.

New questions

The proposed new ‘cookie law’ (which will repeal its disastrous forerunner) does, of course, raise its own questions and potential pitfalls.

The commentary accompanying the regulation names web browsers as potential candidates to fulfil the role of the individual’s ‘preference engine’. Limiting the offer to web browsers presents a variety of problems. The first significant issue is consistency: the current leading browsers are owned and managed by a variety of private companies with varying business models and vested interests. Not only this, but many users also use multiple browsers, each one for a different purpose. The possibility of successfully extending the ‘centralised control’ mentioned in the proposal across competing browser technologies seems unrealistic.

However, Article 10 of the proposed Regulation itself is less specific about the technology that underpins the consent and control mechanisms. As cited above, it is described as “software placed on the market permitting electronic communications, including the retrieval and presentation of information from the internet”. This is a much broader specification. The ultimate aim is accessible and, most importantly, device-agnostic solutions. This could be a service accessed via a browser, or a plugin for the browser itself, offered by a third party specialising in permissions and consent management.

The EC is also all but inviting marketers to seek exemptions from restrictions set up by individuals — something which could create a pop-up explosion that makes today’s cookie banner nuisance look like small beer indeed.

But, in a sense, these are good problems to have. They focus on how to make the right basic idea work rather than forcing through work-arounds for an approach that can never work satisfactorily (the organisation-centric approach of forcing individuals to deal with each organisation’s unique privacy policies and practices separately).

While 3rd party data land-grabbers would suffer under this Regulation, the vast majority of organisations in both public and private sectors, which just want to get business done with customers efficiently and effectively, would benefit from much simpler, standardised processes that enhance trust. That’s assuming the implementation focus is on creating simple, standard default positions rather than using ‘consent’ to create unnecessary complexity.

Longer term, along with other developments such as data portability, the door that’s now been opened to person-centric data practices (where the individual is the point of integration of consents and permissions and, ultimately, of their data) creates massive new opportunities for genuine person-centric data-driven services.

Change is afoot, but as we’ve said, much of the hard work of finding practical solutions to implementation problems for this approach has already been done.
